...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-tools\fP" "1"
.SH "NAME"
\fBflow-tools\fP \(em Tool set for working with NetFlow data\&.
.SH "DESCRIPTION"
.PP
Flow-tools is library and a collection of programs used to collect,
send, process, and generate reports from NetFlow data\&.  The tools
can be used together on a single server or distributed to multiple
servers for large deployments\&.  The flow-toools library provides an
API for development of custom applications for NetFlow export versions
1,5,6 and the 14 currently defined version 8 subversions\&.  A Perl and
Python interface have been contributed and are included in the distribution\&.
.PP
Flow data is collected and stored by default in host byte order, yet
the files are portable across big and little endian architectures\&.
.PP
Commands that utilize the network use a localip/remoteip/port designation
for communication\&.  "localip" is the IP address the host will use as a
source for sending or bind to when receiving NetFlow PDU\&'s (ie the destination
address of the exporter\&.  Configuring the "localip" to 0 will force the kernel
to decide what IP address to use for sending and listen on all IP addresses
for receiving\&.  "remoteip" is the destination IP address used for sending or
the expected address of the source when receiving\&.  If the "remoteip" is
0 then the application will accept flows from any source address\&.  The "port"
is the UDP port number used for sending or receiving\&.  When using multicast
addresses the localip/remoteip/port is used to represent the source, group,
and port respectively\&.
.PP
Flows are exported from a router in a number of different configurable
versions\&.  A flow is a collection of key fields and additional data\&.
The flow key is {srcaddr, dstaddr, input, output, srcport, dstport, prot,
ToS}\&.  Flow-tools supports one export version per file\&.
.PP
Export versions 1, 5, 6, and 7 all maintain {nexthop, dPkts, dOctets,
First, Last, flags}, ie the next-hop IP address, number of packets, number
of octets (bytes), start time, end time, and flags such as the TCP header
bits\&.  Version 5 adds the additional fields {src_as, dst_as, src_mask,
dst_mask}, ie source AS, destination AS, source network mask, and
destination network mask\&.  Version 7 which is specific to the Catalyst
switches adds in addition to the version 5 fields {router_sc}, which is
the Router IP address which populates the flow cache shortcut in the
Supervisor\&.  Version 6 which is not officially supported by Cisco adds
in addition to the version 5 fields {in_encaps, out_encaps, peer_nexthop},
ie the input and output interface encapsulation size, and the IP address
of the next hop within the peer\&.  Version 1 exports do not contain a
sequence number and therefore should be avoided, although it is safe
to store the data as version 1 if the additional fields are not used\&.
.PP
Version 8 IOS NetFlow is a second level flow cache that reduces the
data exported from the router\&.  There are currently 11 formats, all
of which provide {dFlows, dOctets, dPkts, First, Last} for the key
fields\&.
.PP
.PP
.nf
  8\&.1 -  Source and Destination AS, Input and Output interface
  8\&.2 -  Protocol and Port
  8\&.3 -  Source Prefix and Input interface
  8\&.4 -  Destination Prefix and Output interface
  8\&.5 -  Source/Destination Prefix and Input/Output interface
  8\&.9 -  8\&.1 + ToS
  8\&.10 - 8\&.2 + ToS
  8\&.11 - 8\&.3 + ToS
  8\&.12 - 8\&.5 + ToS
  8\&.13 - 8\&.2 + ToS
  8\&.14 - 8\&.3 + ports + ToS
.fi
.PP
Version 8 CatIOS NetFlow appears to be a less fine grained first level
flow cache\&.
.PP
.PP
.nf
  8\&.6 - Destination IP, ToS, Marked ToS, 
  8\&.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS, 
  8\&.8 - Source/Destination IP, Source/Destination Port,
        Input/Output interface, ToS, Marked ToS, 
.fi
.PP
.PP
The following programs are included in the flow-tools distribution\&.
.PP
\fBflow-capture\fP - Collect, compress, store, and
manage disk space for exported flows from a router\&.
.PP
\fBflow-cat\fP - Concatenate flow files\&.  Typically flow files
will contain a small window of 5 or 15 minutes of exports\&.  Flow-cat
can be used to append files for generating reports that span longer time
periods\&.
.PP
\fBflow-fanout\fP - Replicate NetFlow datagrams to unicast or
multicast destinations\&.  Flow-fanout is used to facilitate
multiple collectors attached to a single router\&.
.PP
\fBflow-report\fP - Generate reports for NetFlow data sets\&.
Reports include source/destination IP pairs, source/destination AS,
and top talkers\&.  Over 50 reports are currently supported\&.
.PP
\fBflow-tag\fP - Tag flows based on IP address or AS #\&.
Flow-tag is used to group flows by customer network\&.  The tags
can later be used with flow-fanout or flow-report
to generate customer based traffic reports\&.
.PP
\fBflow-filter\fP - Filter flows based on any of the export
fields\&.  Flow-filter is used in-line with other programs
to generate reports based on flows matching filter expressions\&.
.PP
\fBflow-import\fP - Import data from ASCII or cflowd format\&.
.PP
\fBflow-export\fP - Export data to ASCII or cflowd format\&.
.PP
\fBflow-send\fP - Send data over the network using the NetFlow
protocol\&.
.PP
\fBflow-receive\fP - Receive exports using the NetFlow protocol
without storing to disk like flow-capture\&.
.PP
\fBflow-gen\fP - Generate test data\&.
.PP
\fBflow-dscan\fP - Simple tool for detecting some types of network
scanning and Denial of Service attacks\&.
.PP
\fBflow-merge\fP - Merge flow files in chronoligical order\&.
.PP
\fBflow-xlate\fP - Perform translations on some flow fields\&.
.PP
\fBflow-expire\fP -  Expire flows using the same policy of
flow-capture\&.
.PP
\fBflow-header\fP - Display meta information in flow file\&.
.PP
\fBflow-split\fP - Split flow files into smaller files based on
size, time, or tags\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.PP
\fBflow-merge\fP by
Larry Lidz ellidz@eridu\&.uchicago\&.edu
.PP
Patches and other contribitions by a list too long to mention here\&.
.PP
\fBflow-tools\fP is avalable at
\fI (link to URL http://www.splintered.net/sw/flow-tools) \fR\&.
.PP
A mailing list is maintained at flow-tools@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-capture\fP(1)
\fBflow-cat\fP(1)
\fBflow-dscan\fP(1)
\fBflow-expire\fP(1)
\fBflow-export\fP(1)
\fBflow-fanout\fP(1)
\fBflow-filter\fP(1)
\fBflow-nfilter\fP(1)
\fBflow-gen\fP(1)
\fBflow-header\fP(1)
\fBflow-import\fP(1)
\fBflow-merge\fP(1)
\fBflow-print\fP(1)
\fBflow-receive\fP(1)
\fBflow-report\fP(1)
\fBflow-send\fP(1)
\fBflow-split\fP(1)
\fBflow-stat\fP(1)
\fBflow-tag\fP(1)
\fBflow-xlate\fP(1)
...\" created by instant / docbook-to-man, Tue 06 Aug 2002, 22:22
